Trending Topic: Social Engineering Fraud

June 15, 2018


Social engineering fraud is very difficult to detect. It takes far more effort on the fraudster's part than a typical card fraud, but it promises much larger payoffs.

As with fraud trends in the B2B channel, the average loss is much higher and is spread across a smaller number of orders. Most of the time these scams are aimed at financial fraud: moving large sums of money through fence (mule) accounts, or taking over existing accounts.

I’d like to share a few methods that blend old ways with new.

Last year I visited Brazil, my home country. While I was there, I spoke with some of my peers in fraud prevention. What they shared was perplexing, but sadly, not surprising.

As more sophisticated fraud controls are deployed, fraudsters appear to be falling back on unorthodox (and somewhat primitive) schemes. Two of them are described below, in the interest of always knowing the threat we face together.

The ATM “lockdown”

Picture this: You're at your bank's usual ATM. In routine fashion, you insert your card; however, as you move to enter your PIN, the machine emits an audible click. Your card has been eaten. Now what?

The machine is obviously faulty, and you can't simply walk away: what if it ejects your card for any passerby to grab?

Conveniently enough, the customer at the next machine has the exact same problem. In fact, he’s on the phone with the bank’s support team.

You know where this goes. The “customer” at the next ATM is anything but. Instead, he is just one player in the vast ecosystem that fuels social engineering fraud.

In this scenario, the fraudster seeks to exploit a moment of desperation. He insists that the victim, in a momentary state of panic, speak to the representative on the line.

This "representative", as you might have guessed, is also in on the con. The play here is to separate the victim from their PIN and other details under the pretext of "cancelling" the card. The victim is told that the cancellation was successful and that a technician will retrieve the card.

At the end of a successful con, both individuals leave. The fraudsters then return to remove the trapping device they had installed in the card slot, and the victim's card with it. With the card and PIN in hand, they can cash out immediately.

Detecting this type of fraud is very difficult: the fraudsters hold the victim's physical card and PIN, and they are transacting at an ATM the bank already associates with that customer. It's almost as nefarious as the next scheme.

The “concerned” phone call

This is similar to the scenario I just described, except that the victim receives a concerned phone call from their "bank" about some "abnormal" charges. The key is that the "representative" can read back several genuine charges before the "abnormal" one. To pull this off, the fraudsters work from intercepted mail, so the details they quote are real and lull the customer into a false sense of security.

With his mind at ease, the victim comfortably relays his personal information, PIN included. He is assured that his card has been cancelled and that he need not worry: someone will pick up the card and return it to the bank for destruction. You guessed it: this "courier" simply hands the card to the fraudster, who uses the PIN the victim provided to max out the available line of credit.

In conclusion

These two are real examples of how fraudsters are using social engineering to trick people into providing all the information necessary to exploit existing relationships with financial institutions.

Preventing these scenarios starts with customer education. Financial institutions should decide on, and communicate, the channels they will use for alerts, so that customers can recognise a contact that did not come from the bank. But there's no silver bullet for fraud prevention.

These trends call for a more sophisticated approach to predicting and assessing risk. For the ATM lockdown scenario, my recommendation is to monitor for unusually high withdrawal volume at individual ATMs, and in particular for clusters of withdrawals at the daily maximum. Fraudsters often target specific ATMs and pull the maximum from every card they hold.

For the phone call scenario, it all starts with customer education. Tell customers exactly what to expect from your support representatives: for example, that a representative will never ask for a PIN to identify a caller, and that the bank will never send someone to collect a card. On the bank's side, additional controls can key on customer ZIP code combined with out-of-pattern spending. Because the fraudsters intercept mail in one specific neighbourhood, several cards that share a home ZIP will start transacting somewhere else at about the same time.
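The two monitoring rules above, ATM withdrawal clustering and ZIP-code-plus-out-of-pattern spending, as an added, runnable illustration. This is example code written for this article, not Emailage's product or the author's own tooling. The transaction records, the $500 daily limit, the three-card threshold, the 24-hour window and the use of the 3-digit ZIP prefix as "same area" are all constructed assumptions; a production system would use the real per-card limits and geodistance.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    """One card transaction. ZIPs are 5-digit strings; kind is "atm" or "pos"."""
    ts: datetime
    card: str
    home_zip: str      # cardholder's billing ZIP (where statements are mailed)
    terminal: str      # ATM or merchant terminal id
    terminal_zip: str  # where the transaction happened
    amount: float
    kind: str


def _distinct_cards_in_window(events, window, min_cards):
    """events: list of (timestamp, card). Return the first set of at least
    min_cards distinct cards that all appear within `window` of each other,
    or None. Quadratic scan, fine for a demo; use a sliding window at scale."""
    events = sorted(events)
    for i, (start, _) in enumerate(events):
        cards = {card for ts, card in events[i:] if ts - start <= window}
        if len(cards) >= min_cards:
            return cards
    return None


def flag_atm_cashouts(txns, daily_limit=500.0, min_cards=3, window=timedelta(hours=24)):
    """ATM lockdown signal: several different cards each drawing the daily
    maximum at the same ATM within a short window. Returns {atm_id: [cards]}.
    daily_limit of 500 is an assumed limit, not a real bank's figure."""
    by_atm = defaultdict(list)
    for t in txns:
        if t.kind == "atm" and t.amount >= daily_limit:
            by_atm[t.terminal].append((t.ts, t.card))
    flagged = {}
    for atm, events in by_atm.items():
        cards = _distinct_cards_in_window(events, window, min_cards)
        if cards:
            flagged[atm] = sorted(cards)
    return flagged


def flag_zip_clusters(txns, min_cards=3, window=timedelta(hours=24)):
    """Concerned-call signal: several cards sharing a home ZIP all start
    spending in an area none of them has used before, at about the same time.
    "Area" is the 3-digit ZIP prefix (assumption). A cardholder who already
    has history in that area (a regular traveller) is not counted, which is
    the out-of-pattern part. Returns {home_zip: [cards]}."""
    seen_areas = defaultdict(set)   # card -> ZIP3 areas seen so far
    by_home = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        area = t.terminal_zip[:3]
        novel = area != t.home_zip[:3] and area not in seen_areas[t.card]
        seen_areas[t.card].add(area)
        if novel:
            by_home[t.home_zip].append((t.ts, t.card))
    flagged = {}
    for home_zip, events in by_home.items():
        cards = _distinct_cards_in_window(events, window, min_cards)
        if cards:
            flagged[home_zip] = sorted(cards)
    return flagged


def corroborated_cards(txns):
    """Cards that both cashed out at a hot ATM and belong to a ZIP cluster:
    the strongest signal, worth an immediate block-and-call."""
    atm = {c for cards in flag_atm_cashouts(txns).values() for c in cards}
    zips = {c for cards in flag_zip_clusters(txns).values() for c in cards}
    return sorted(atm & zips)


# Constructed sample: cards C1..C5 all bill to ZIP 33130; C6 bills to 33180.
T0 = datetime(2018, 6, 1, 9, 0)


def at(day, hour):
    return T0 + timedelta(days=day, hours=hour)


SAMPLE = [
    Txn(at(0, 0), "C5", "33130", "POS-N", "10001", 80.00, "pos"),   # C5 travels to 100xx regularly
    Txn(at(0, 1), "C1", "33130", "POS-A", "33131", 42.10, "pos"),   # normal local activity
    Txn(at(0, 2), "C2", "33130", "ATM-2", "33130", 60.00, "atm"),
    Txn(at(1, 3), "C3", "33130", "POS-B", "33134", 18.75, "pos"),
    Txn(at(1, 6), "C6", "33180", "ATM-2", "33130", 500.00, "atm"),  # one card at the limit: no cluster
    Txn(at(3, 0), "C1", "33130", "ATM-7", "10001", 500.00, "atm"),  # four neighbours' cards drained
    Txn(at(3, 1), "C2", "33130", "ATM-7", "10001", 500.00, "atm"),  # at one ATM, far from home,
    Txn(at(3, 2), "C3", "33130", "ATM-7", "10001", 500.00, "atm"),  # within a few hours
    Txn(at(3, 4), "C4", "33130", "ATM-7", "10001", 500.00, "atm"),
    Txn(at(3, 6), "C2", "33130", "POS-N", "10001", 900.00, "pos"),  # 100xx already seen for C2 today
    Txn(at(3, 7), "C5", "33130", "POS-N", "10001", 75.00, "pos"),   # matches C5's own history: ignored
]

if __name__ == "__main__":
    print("hot ATMs:      ", flag_atm_cashouts(SAMPLE))
    print("ZIP clusters:  ", flag_zip_clusters(SAMPLE))
    print("corroborated:  ", corroborated_cards(SAMPLE))
```

The per-card history check is what keeps the regular traveller C5 out of the ZIP cluster even though he spends in the same area on the same day; without it, the rule would flag every customer from the neighbourhood who happened to travel. Either rule on its own produces candidates to review; a card that trips both is the one to block first.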

We must all be vigilant against these threats and work together. I look forward to doing just that alongside my fellow fraud prevention professionals.

Emailage is not a consumer reporting agency. Therefore we do not create credit reports and we do not advise the use of email address risk scores for credit evaluation or certain other purposes including employment.